john.bowman--- via FreeIPA-users wrote:
> 
> Bump hoping someone can confirm whether or not this is a good next step to 
> try to resolve the issue.  Mainly concerned that the solution only mentions:
> 
> Red Hat Identity Management (IPA) 4.3, 4.4
> Red Hat Enterprise Linux (RHEL) 7.2 and 7.3
> 
> And we have RHEL 6 and IPA 3.x as well in the environment.

I think that is more for an established agreement than a new one. During
the process of creating a new master this value should be created. If
you poke at the 389-ds access log during the replica installation you
might be able to determine if this is happening, succeeding or what.

rob

> 
> Thanks!
> 
>> I tried a fresh install with the same result.  The new replica install
>> process completes successfully but it does not register as a master.  When I
>> look at the replication status via ipa-replica-manage it shows this:
>>
>> # ipa-replica-manage list -v ipa8.domain.tld
>> Directory Manager password:
>>
>> ipa1.domain.tld: replica
>>   last init status: None
>>   last init ended: 1970-01-01 00:00:00+00:00
>>   last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
>>   last update ended: 1970-01-01 00:00:00+00:00
>>
>> When I try to create a new replication agreement via ipa-replica-manage
>> connect I get this message:
>>
>> # ipa-replica-manage connect ipa4.domain.tld
>> Directory Manager password:
>>
>> Connection unsuccessful: ipa4.domain.tld is an IPA Server, but it might be unknown, foreign or previously deleted one.
>>
>> I saw this article:
>> https://access.redhat.com/solutions/2988311
>>
>> I checked all my replicas and they show:
>> $ ldapsearch -o ldif-wrap=no -D "cn=directory manager" -W -b
>> "cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # replication managers, sysaccounts, etc, domain.tld
>> dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
>> member: krbprincipalname=ldap/ipa2.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
>> member: krbprincipalname=ldap/ipa4.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
>> member: krbprincipalname=ldap/ipa7.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
>> member: krbprincipalname=ldap/ipa3.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
>> member: krbprincipalname=ldap/ipa5.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
>> member: krbprincipalname=ldap/ipa6.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
>> member: krbprincipalname=ldap/ipa1.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
>> member: krbprincipalname=ldap/ipa8.domain.tld(a)DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
>>
>> I also checked this on the new server:
>>
>> # ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=config"
>> "(cn=replica)" nsds5replicabinddngroup nsds5replicabinddngroupcheckinterval
>> Enter LDAP Password:
>> dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
>> nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
>> nsds5replicabinddngroupcheckinterval: 60
>>
>> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
>> nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
>> nsds5replicabinddngroupcheckinterval: 60
>>
>> On the other 4.x IPA servers (all non CA replicas) it showed the first
>> stanza like above and on the 3.x servers it only had:
>> $ ldapsearch -o ldif-wrap=no -xLLL -D "cn=directory manager" -W -b
>> "cn=config" "(cn=replica)" nsds5replicabinddngroup
>> nsds5replicabinddngroupcheckinterval
>> Enter LDAP Password:
>> dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
>>
>> Anything else I should verify as well that might lead to a solution?
>>
>> Thanks!
>>
>>> After some trial and error I was finally able to get a new replica + CA
>>> (RHEL7.4 and ipa-server 4.5) added to our existing mixed (RHEL 6 and ipa
>>> server 3.0 - 4.x) and the ipa-replica-install command completed
>>> successfully but now when I run the ipa-replica-manage -v list <host>
>>> command I see this:
>>>
>>> # ipa-replica-manage -v list ipa5.domain.tld
>>> Directory Manager password:
>>>
>>> ipa1.domain.tld: replica
>>>   last init status: None
>>>   last init ended: 1970-01-01 00:00:00+00:00
>>>   last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
>>>   last update ended: 1970-01-01 00:00:00+00:00
>>>
>>> I ran the ipa-replica-manage re-initialize and it runs successfully and the
>>> above permission denied error goes away but the host cannot be connected to
>>> any other replicas, it no longer sees itself as a replica or csreplica.  I
>>> assume this is due to the re-init.  I'm leery of trying to force it to try
>>> and join and potentially cause more issues.  I would appreciate any helpful
>>> suggestions.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
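The two checks this thread walks through by hand (is the new server's ldap/ principal a member of cn=replication managers, and does each consumer's cn=replica entry actually reference that group via nsds5replicabinddngroup) can be cross-checked offline against the saved command output. The script below is an added example, not code from the thread, FreeIPA or 389-ds. It assumes you feed it the ldapsearch LDIF and the ipa-replica-manage list -v listing in the formats shown above; the sample inputs are constructed, use a literal '@' where the archived mail shows '(a)', and the 'Error (0) Replica acquired successfully' status line for the healthy peer is my assumption of a clean agreement. Function names are mine.

```python
"""Offline cross-check of the replication 'permission denied' picture in this
thread: is the supplier's ldap/ principal in cn=replication managers, and does
each consumer's cn=replica entry reference that group?  Inputs are saved output
of ldapsearch (LDIF) and ipa-replica-manage list -v."""
import re

# Constructed samples, not the thread's real output ('@' where the archive shows '(a)').
REPL_MANAGERS_LDIF = r"""dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa1.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa4.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
member: krbprincipalname=ldap/ipa8.domain.tld@DOMAIN.TLD,cn=services,cn=accounts,dc=domain,dc=tld
"""
# 4.x-style consumer: the replica entry points at the group.
CONFIG_4X_LDIF = r"""dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain,dc=tld
nsds5replicabinddngroupcheckinterval: 60
"""
# 3.x-style consumer as in the thread: the query returns only the dn.
CONFIG_3X_LDIF = r"""dn: cn=replica,cn=dc\3Ddomain\2Cdc\3Dtld,cn=mapping tree,cn=config
"""
# ipa-replica-manage list -v ipa8.domain.tld, i.e. agreements as seen from supplier ipa8
# (the healthy ipa4 status line is an assumed clean-agreement message).
STATUS_OUTPUT = """\
ipa1.domain.tld: replica
  last init status: None
  last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
  last update ended: 1970-01-01 00:00:00+00:00
ipa4.domain.tld: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-10-03 12:00:00+00:00
"""
PRINCIPAL_RE = re.compile(r"krbprincipalname=ldap/([^@,]+)@", re.IGNORECASE)


def parse_ldif(text):
    """LDIF -> list of {attr_lower: [values]}.  A blank line ends an entry, '#'
    lines are comments, a leading space continues the previous value (so output
    without -o ldif-wrap=no parses too).  Base64 ('::') values stay undecoded."""
    entries, entry, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            entries += [entry] if entry else []
            entry, last = None, None
        elif raw.startswith(" ") and last:
            entry[last][-1] += raw[1:]
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            entry = entry or {}
            entry.setdefault(last, []).append(value.strip())
    return entries + ([entry] if entry else [])


def replication_manager_hosts(ldif_text):
    """Hostnames whose ldap/ service principal is a member of the group."""
    return {m.group(1).lower()
            for e in parse_ldif(ldif_text) for v in e.get("member", [])
            for m in [PRINCIPAL_RE.search(v)] if m}


def parse_agreement_status(text):
    """peer hostname -> 'last update status' text from ipa-replica-manage list -v."""
    status, peer = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9.-]+): \w+$", line)
        if m:
            peer = m.group(1).lower()
            status[peer] = ""
        elif peer and line.strip().lower().startswith("last update status:"):
            status[peer] = line.split(":", 1)[1].strip()
    return status


def replica_entries_without_group(config_ldif):
    """DNs of cn=replica entries that carry no nsds5replicabinddngroup."""
    return [e["dn"][0] for e in parse_ldif(config_ldif)
            if "dn" in e and not e.get("nsds5replicabinddngroup")]


def diagnose(local_host, status_text, managers_ldif, peer_configs):
    """One finding per agreement reporting 'permission denied'; peer_configs
    maps consumer hostname -> its cn=config replica LDIF (may be incomplete)."""
    local_host = local_host.lower()
    managers = replication_manager_hosts(managers_ldif)
    findings = []
    for peer, last in parse_agreement_status(status_text).items():
        if "permission denied" not in last.lower():
            continue
        who = f"{peer} refused ldap/{local_host}"
        if local_host not in managers:
            findings.append(f"{who}: not a member of cn=replication managers")
        elif peer not in peer_configs:
            findings.append(f"{who}: no replica config captured for {peer}")
        elif replica_entries_without_group(peer_configs[peer]):
            findings.append(f"{who}: its cn=replica entry has no nsds5replicabinddngroup, "
                            "so group membership is not honored there")
        else:
            findings.append(f"{who} although membership and group config look right; "
                            f"check the 389-ds access log on {peer} for that BIND")
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose("ipa8.domain.tld", STATUS_OUTPUT, REPL_MANAGERS_LDIF,
                             {"ipa1.domain.tld": CONFIG_3X_LDIF,
                              "ipa4.domain.tld": CONFIG_4X_LDIF})))
```

Run as-is it reports only the ipa1 agreement: the supplier is in the group, but the 3.x-style consumer's replica entry carries no nsds5replicabinddngroup, which is exactly the mixed-version picture the thread describes. The last branch is where Rob's suggestion applies: when membership and group config both look right, the consumer's 389-ds access log (BIND and RESULT lines for the ldap/ principal) is the next place to look.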